With your consent our website uses own cookies and third-party cookies to identify you and to send advertising messages in line with your online navigation preferences. Without your consent we will only use anonymized cookies, e.g session cookies. If you want to know more or refuse consent to some cookies, click here.

SICK Product Security Incident Response Team (SICK PSIRT)

SICK AG products and services are subject to the highest quality requirements. That is why cyber security is taken into account and tested in the development phase. To ensure that products and services are secure throughout their entire service life, reports on possible vulnerabilities are taken very seriously and handled with the greatest sense of responsibility. Uncovering vulnerabilities is understood as a common goal of different parties with the aim of offering our customers a consistently high level of security.

The SICK Product Security Incident Response Team (SICK PSIRT)

The SICK PSIRT is the central team of SICK AG which is authorized to answer reports regarding the cyber security of products, solutions and services as well as provide information. All reports concerning potential vulnerabilities or other security incidents connected to SICK AG products can be passed on to the SICK PSIRT.

The SICK PSIRT manages the inspection, internal coordination and disclosure of security vulnerabilities. A security advisory is issued for confirmed vulnerabilities as soon as a solution is available. If the situation requires, a security advisory with the measures to be taken is sent out before an update is available.

Reports on potential vulnerabilities or other incidents are more than welcome from anyone, regardless of their customer status. SICK AG respects and takes into account the different interests of reporters and encourages the reporting of information to the SICK PSIRT. The aim is to follow a process of coordinated disclosure of vulnerabilities (coordinated vulnerability disclosure).

Reporting a vulnerability

The SICK PSIRT aims to process every vulnerability with confidentiality and professionalism together with the respective reporters. Neither a non-disclosure agreement (NDA) nor another type of contract is necessary or a requirement for collaboration.

Coordinated vulnerability reports from all members of the security community are greatly appreciated. These include security researchers, universities, CERTs, business partners, authorities, industry associations and suppliers.

Many SICK AG products fulfill important protective functions and are used in critical infrastructures. SICK AG therefore asks for cooperation when dealing with the coordinated disclosure of vulnerabilities and also requests that vulnerability information not be disclosed prematurely.

SICK AG requests that as much information as possible is provided in a report in order to speed up processing. This information should contain the following:

Contact information and availability

Affected product including model and version number

Classification of the vulnerability (buffer overflow, XSS, …)

Detailed description of the vulnerability (with verification if possible)

Effect of the vulnerability (if know)

Current level of awareness of the vulnerability (are there plans to disclose it?)

(Company) affiliation of the reporter (if reporter is prepared to provide such information)

CVSS score (if known)

If more information is necessary for the inspection of a vulnerability, the SICK PSIRT will contact the reporter.

If the reporter would like, he/she will be publicly acknowledged after disclosing a new vulnerability.

Encrypted reports are preferred to protect sensitive information and data. German and English are accepted.

The SICK PSIRT is happy to provide additional information about its operating principle or answer general questions about reports of vulnerabilities. If you have any other questions or concerns not related to security, we ask that you contact SICK AG customer service. The SICK PSIRT cannot provide information about these issues.